MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 cf0b984faaf9ff83f1dc5e7e8a8604338458882ce8a0547ec1f381f0c30ecb5d. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry

Formbook

Vendor detections: 16

SHA256 hash: cf0b984faaf9ff83f1dc5e7e8a8604338458882ce8a0547ec1f381f0c30ecb5d
SHA3-384 hash: fdd4a0fd2526fcdc247119e6fadb9810d02bfeec55d265e81ce6e5c91290daf7f02f48344e2dbb020344866f713f7afc
SHA1 hash: 9db80910e3cc4475f82a96d18ef195cf8ed09476
MD5 hash: 62e3e2ddab3311f5d2cfe86fe16b65be
humanhash: eighteen-early-bravo-blue
File name: cf0b984faaf9ff83f1dc5e7e8a8604338458882ce8a0547ec1f381f0c30ecb5d
Signature: Formbook
File size: 793'088 bytes
First seen: 2024-06-04 10:51:30 UTC
Last seen: 2024-06-04 11:39:21 UTC
File type: Executable exe
MIME type: application/x-dosexec
imphash: f34d5f2d4577ed6d9ceec516c1f5a744 (48'666 x AgentTesla, 19'479 x Formbook, 12'209 x SnakeKeylogger)
ssdeep: 12288:b3bimfDdGWAKxN4z9Fq5S3oA1v5n5l4HrGP+X3BmYNj7wBaHM6GXbUmBQ7fJDNk/:b3ddBxN4zjWYOrGGX37Nj7gaHM9LUm
TLSH: T194F4DFAC325076DFC85BCD768EA45C64AA6074B7431BD643A01716EC9A0DAEBCF241F3
TrID: 60.4% (.EXE) Generic CIL Executable (.NET, Mono, etc.) (73123/4/13)
      10.8% (.SCR) Windows screen saver (13097/50/3)
      8.7% (.EXE) Win64 Executable (generic) (10523/12/4)
      5.4% (.DLL) Win32 Dynamic Link Library (generic) (6578/25/2)
      4.1% (.EXE) Win16 NE executable (generic) (5038/12/1)
Reporter: adrian__luca
Tags: exe FormBook

Intelligence


File Origin
# of uploads: 2
# of downloads: 341
Origin country: HU

Vendor Threat Intelligence
Malware family: n/a
ID: 1
File name: cf0b984faaf9ff83f1dc5e7e8a8604338458882ce8a0547ec1f381f0c30ecb5d
Verdict: Suspicious activity
Analysis date: 2024-06-04 10:51:41 UTC
Tags: n/a

Note: ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample.
Result
Verdict: Malware
Maliciousness:

Behaviour
Searching for the window
Creating synchronization primitives
Searching for synchronization primitives
Creating a window
Unauthorized injection to a recently created process
Restart of the analyzed sample
Creating a file
Launching the default Windows debugger (dwwin.exe)

Verdict: Suspicious
Threat level: 5/10
Confidence: 100%
Tags: packed
Result
Verdict: MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.

Result
Threat name: FormBook
Detection: malicious
Classification: troj.spyw.evad
Score: 100 / 100
Signature
.NET source code contains potential unpacker
AI detected suspicious sample
Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Found direct / indirect Syscall (likely to bypass EDR)
Injects a PE file into a foreign processes
Machine Learning detection for sample
Malicious sample detected (through community Yara rule)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Performs DNS queries to domains with low reputation
Queues an APC in another process (thread injection)
Snort IDS alert for network traffic
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Yara detected AntiVM3
Yara detected FormBook
Behaviour
Behavior Graph: [interactive graph not reproduced] Behavior Graph ID: 1451644; sample: Ur5XgusfXC.exe; start date: 04/06/2024; architecture: WINDOWS; score: 100. The graph shows Ur5XgusfXC.exe starting, unpacking and injecting into a second copy of itself, which in turn injects into yqyfrCKPFdZUciSVDCl.exe, convert.exe and firefox.exe; the injected processes perform the DNS queries and network contacts flagged by the signatures listed above.
Threat name: Win32.Trojan.Jalapeno
Status: Malicious
First seen: 2024-05-24 02:48:52 UTC
File Type: PE (.Net Exe)
Extracted files: 8
AV detection: 26 of 38 (68.42%)
Threat level: 5/5
Verdict: malicious
Label(s): formbook

Result
Malware family: n/a
Score: 5/10
Tags: n/a
Behaviour
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Program crash
Suspicious use of SetThreadContext
Verdict: Suspicious
Tags: n/a
YARA: n/a
Unpacked files
Please note that we are no longer able to provide a coverage score for Virus Total.

YARA Signatures


MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name: maldoc_getEIP_method_1
Author: Didier Stevens (https://DidierStevens.com)
Rule name: meth_get_eip
Author: Willi Ballenthin
Rule name: NET
Author: malware-lu
Rule name: pe_imphash
Rule name: pe_no_import_table
Description: Detect PE file that has no import table
Rule name: shellcode
Author: nex
Description: Matched shellcode byte patterns
Rule name: Skystars_Malware_Imphash
Author: Skystars LightDefender
Description: imphash

File information


The table below shows additional information about this malware sample such as delivery method and external references.

BLint


The following table provides more information about this file using BLint. BLint is a Binary Linter to check the security properties, and capabilities in executables.

Findings
ID                        | Title                                                  | Severity
CHECK_AUTHENTICODE        | Missing Authenticode                                   | high
CHECK_DLL_CHARACTERISTICS | Missing dll Security Characteristics (HIGH_ENTROPY_VA) | high

Comments